This week, we feature a number of tools and articles that leverage Python to do the heavy lifting. So, if you're looking for scripts and applications to lighten some of that workload, this may be the post for you. In other news, Brian Krebs alerts us to new malware tricks, Jennifer Granick takes a legal look at recent hacking arrests, and the data center is alive at Dilbert.com.
If you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to firstname.lastname@example.org.
- Last week, David Kovar announced the release of analyzeMFT 2.0, a Python module for analyzing the Windows Master File Table ($MFT). This new version is object-oriented and structured so that it can be imported "directly into the python interpreter to allow for manual interaction with the MFT." This update, courtesy of Matt Sabourin, "can also be imported into other python scripts that need to work with an MFT." Some new command-line options have also been added; see the announcement for details.
- William Ballenthin at Mandiant recently released python-registry, a set of Python modules for opening and parsing Windows registry hive files such as SAM and NTUSER.dat (the binary hives, not to be confused with exported .reg text files). This item could just as easily be filed under "Good Reads." You can, of course, go straight to downloading the tool from the link above, but I highly recommend you hold off until you have read William's excellent post on Mandiant's M-unition blog, Tearing Up the Windows Registry with python-registry. His post briefly covers the structure of a registry hive file, then walks through python-registry usage with code samples.
- Jennifer Granick has a lengthy post on last week's numerous "hacker" arrests and indictments, entitled "Big Day in Hacker News Brings Prosecutions Grand and Petty." In this post on the Zwillinger Genetski blog, Law Across the Wire and Into the Cloud, Ms. Granick provides some interesting legal perspective on cases such as the Anonymous DDoS of PayPal, the release of AT&T documents that were later distributed by LulzSec, the compromise of the InfraGard Tampa website, and Aaron Swartz's (a co-founder of Reddit) download of journal articles from JSTOR. Her perspective in this article might be read as either independent or defense-leaning, depending on your own perspective. One would assume that prosecutors will have a different take on some of the issues Ms. Granick identifies. Nevertheless, the questions she raises seem valid (at least from my limited, i-am-not-a-lawyer, perspective), and one would hope that the prosecution has prepared for them.
- Earlier this week, Neil Archibald posted a fairly geek-tastic article on the Cisco Security blog. His post, somewhat innocuously titled Extracting EXE Drop Malware, discusses using Python and YARA to script the extraction of Windows executables embedded in other files such as MS Office documents, Shockwave Flash files, and image files. A comment I saw on Twitter questioned the use of a YARA signature to search for a simple text string (you'll see what I mean), but I think part of the point is to demonstrate the technique, which could also be leveraged for more complex signatures. Neil then goes on to discuss using a virtual machine and Sandboxie to capture the dropped executable by allowing the exploit to run. Both methods, of course, are designed to capture the malicious executable for further analysis.
- Harlan Carvey has announced his upcoming book, Windows Forensic Analysis - 3rd Edition (WFA 3/e), and provided an overview of the content.
- Krebs On Security: Trojan Tricks Victims Into Transferring Funds - This nasty little piece of malware tricks users into thinking that an erroneous transfer has been made to their accounts, and that they must transfer the money back (to an account the attackers control) in order to get their bank accounts unlocked. See Brian's post for more details.
- Forget About Big Brother It's Someone Much Closer You Have to Worry About - This study for the Retrevo Gadgetology Report suggests that those worried about the watchful eye of Apple, Google, or the government may also need to start worrying more about family and significant others. In a survey of 1000 respondents in the United States, the study found that over 30% of respondents have or would spy on their significant others' email or call history. It would be interesting, I think, to see how results from other countries would compare, but there's no mention of such a study being planned.
- Earlier this month, the U.S. Department of Defense released their Strategy for Operating in Cyberspace (PDF).
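Since analyzeMFT (noted above) is built around parsing $MFT records, here is an added example of the one step every MFT parser has to get right before reading a single field: applying the update sequence array ("fixups"). This is my own illustration, not code from analyzeMFT or David Kovar; the 1 KiB record it parses is constructed inline rather than taken from a real disk, and the field offsets are those of the standard NTFS FILE record header.

```python
import struct

SECTOR = 512
# Record header through NextAttributeId (42 bytes); the record number follows at 0x2C on XP and later
MFT_HEADER = struct.Struct("<4sHHQHHHHIIQH")


class MftRecordError(ValueError):
    """Record failed the signature or update-sequence (fixup) checks."""


def apply_fixups(record: bytes) -> bytearray:
    """Return a copy of the record with the update sequence array applied.

    NTFS overwrites the last two bytes of every 512-byte sector of a record
    with the update sequence number (USN) and keeps the displaced bytes in the
    update sequence array (USA). A parser that skips this step reads two wrong
    bytes per sector; a sector whose tail does not carry the USN was never
    fully written (a torn write) and must not be trusted.
    """
    if record[:4] != b"FILE":
        raise MftRecordError("signature %r is not FILE (BAAD or unused record?)" % record[:4])
    usa_offset, usa_count = struct.unpack_from("<HH", record, 4)
    usn = record[usa_offset:usa_offset + 2]
    fixed = bytearray(record)
    for i in range(usa_count - 1):  # entry 0 of the USA is the USN itself
        end = (i + 1) * SECTOR
        if end > len(record):
            raise MftRecordError("USA covers %d sectors but record is %d bytes" % (usa_count - 1, len(record)))
        if fixed[end - 2:end] != usn:
            raise MftRecordError("fixup mismatch in sector %d: torn write or corruption" % i)
        saved = usa_offset + 2 + 2 * i
        fixed[end - 2:end] = record[saved:saved + 2]
    return fixed


def parse_mft_record(record: bytes) -> dict:
    """Parse the fixed part of a FILE record header after applying fixups."""
    fixed = apply_fixups(record)
    (_sig, usa_offset, _usa_count, lsn, sequence, links, attr_offset, flags,
     used, allocated, base_ref, next_attr_id) = MFT_HEADER.unpack_from(fixed, 0)
    info = {
        "logfile_sequence_number": lsn,
        "sequence": sequence,
        "hard_links": links,
        "first_attribute_offset": attr_offset,
        "in_use": bool(flags & 0x01),
        "is_directory": bool(flags & 0x02),
        "used_size": used,
        "allocated_size": allocated,
        # a file reference packs a 48-bit record number and a 16-bit sequence number
        "base_record": base_ref & 0xFFFFFFFFFFFF,
        "base_sequence": base_ref >> 48,
        "next_attribute_id": next_attr_id,
        "data": bytes(fixed),
    }
    if usa_offset >= 0x30:  # XP and later store the record number at 0x2C
        info["record_number"] = struct.unpack_from("<I", fixed, 0x2C)[0]
    return info


def build_sample_record() -> bytes:
    """Constructed 1 KiB in-use record (not real disk data) with USN 7 and two displaced words."""
    usn = b"\x07\x00"
    rec = bytearray(1024)
    MFT_HEADER.pack_into(rec, 0, b"FILE", 0x30, 3, 0x1234, 5, 1, 0x38, 0x01, 0x1A0, 0x400, 0, 4)
    struct.pack_into("<HI", rec, 0x2A, 0, 42)          # padding, then record number 42
    rec[0x30:0x36] = usn + b"\xAA\xBB" + b"\xCC\xDD"  # USN, then the bytes displaced from each sector tail
    rec[510:512] = usn                                 # what actually sits on disk at the sector ends
    rec[1022:1024] = usn
    return bytes(rec)


if __name__ == "__main__":
    info = parse_mft_record(build_sample_record())
    print("record %d seq %d in_use=%s" % (info["record_number"], info["sequence"], info["in_use"]))
    torn = bytearray(build_sample_record())
    torn[1022:1024] = b"\x06\x00"                      # stale USN in the second sector
    try:
        parse_mft_record(bytes(torn))
    except MftRecordError as e:
        print("rejected:", e)
```

The torn-record check is the part worth keeping in mind when you script against a raw $MFT: a record whose second sector still carries an old USN is exactly the kind of thing a tool that simply trusts the bytes will happily misreport as an attribute.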
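python-registry (noted above) handles the hive format for you; as an added example of what is worth checking before handing a hive to any parser, here is a small base-block ("regf" header) validator. This is my own illustration, not code from python-registry or William Ballenthin's post. It reads the standard header fields, recomputes the XOR checksum, and flags a dirty hive (primary and secondary sequence numbers differ, meaning the transaction logs hold data the hive file does not). The sample header bytes are constructed inline, not taken from a real system.

```python
import struct
from datetime import datetime, timedelta, timezone

REGF_HEADER_SIZE = 0x200
HBIN_BASE = 0x1000                 # hive bins start here; cell offsets in the file are relative to it
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


class RegfError(ValueError):
    """Base block is missing, mis-signed or too short."""


def regf_checksum(header: bytes) -> int:
    """XOR of the 127 little-endian dwords before the checksum field, with the two special cases Windows applies."""
    x = 0
    for (word,) in struct.iter_unpack("<I", header[:0x1FC]):
        x ^= word
    if x == 0:
        return 1
    if x == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return x


def filetime_to_datetime(filetime: int) -> datetime:
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_regf_header(data: bytes) -> dict:
    """Parse and sanity-check the 512-byte base block at the start of a hive file."""
    if len(data) < REGF_HEADER_SIZE:
        raise RegfError("base block needs %d bytes, got %d" % (REGF_HEADER_SIZE, len(data)))
    if data[:4] != b"regf":
        raise RegfError("signature %r is not regf" % data[:4])
    primary_seq, secondary_seq, last_written = struct.unpack_from("<IIQ", data, 0x04)
    major, minor, file_type, _fmt, root_cell, bins_size, _cluster = struct.unpack_from("<7I", data, 0x14)
    name = data[0x30:0x70].decode("utf-16-le", errors="replace").split("\0", 1)[0]
    stored = struct.unpack_from("<I", data, 0x1FC)[0]
    return {
        "primary_seq": primary_seq,
        "secondary_seq": secondary_seq,
        # unequal sequence numbers mean the last write never completed: the hive is
        # dirty and its .LOG/.LOG1/.LOG2 transaction logs carry newer data
        "dirty": primary_seq != secondary_seq,
        "last_written": filetime_to_datetime(last_written),
        "version": (major, minor),
        "file_type": "primary" if file_type == 0 else "log",
        "root_key_offset": HBIN_BASE + root_cell,
        "hive_bins_size": bins_size,
        "name": name,
        "checksum_ok": stored == regf_checksum(data),
    }


def build_sample_header(primary_seq=7, secondary_seq=7, corrupt_checksum=False,
                        when=datetime(2011, 7, 29, 12, 0, 0, tzinfo=timezone.utc)) -> bytes:
    """Constructed base block (not from a real hive) for exercising the checks."""
    h = bytearray(REGF_HEADER_SIZE)
    h[0:4] = b"regf"
    filetime = ((when - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    struct.pack_into("<IIQ", h, 0x04, primary_seq, secondary_seq, filetime)
    # major 1, minor 5, primary file, direct-load format, root cell 0x20, 12 KiB of bins, cluster 1
    struct.pack_into("<7I", h, 0x14, 1, 5, 0, 1, 0x20, 0x3000, 1)
    name = "ntuser.dat".encode("utf-16-le")
    h[0x30:0x30 + len(name)] = name
    checksum = regf_checksum(bytes(h))
    struct.pack_into("<I", h, 0x1FC, checksum ^ 0xDEADBEEF if corrupt_checksum else checksum)
    return bytes(h)


if __name__ == "__main__":
    for label, hdr in (("clean", build_sample_header()),
                       ("dirty", build_sample_header(primary_seq=8)),
                       ("corrupt", build_sample_header(corrupt_checksum=True))):
        info = parse_regf_header(hdr)
        print(label, info["name"], info["last_written"].isoformat(),
              "dirty=%s checksum_ok=%s" % (info["dirty"], info["checksum_ok"]))
```

A hive copied off a live system with the machine still running is routinely dirty; that is not corruption, but it does mean the keys you parse may be behind what the running system sees, which matters when you are timelining a compromise.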
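Neil Archibald's Cisco post (noted above) uses a YARA rule to locate an embedded executable. As an added example, and not code from his post, here is the validation step a practitioner would put behind that hit: every "MZ" string is a candidate, so walk e_lfanew to the "PE\0\0" signature, read the section table, and carve exactly the bytes the headers describe, flagging a carrier that ends before the image does. It needs only the standard library (no yara-python), and the PDF-like carrier and the PE skeleton inside it are constructed inline rather than taken from a real sample.

```python
import struct

MAX_SECTIONS = 96   # the Windows loader refuses images with more


def _pe_extent(blob: bytes, off: int):
    """Return the byte length of a PE image that starts at blob[off], or None if the MZ is a false hit."""
    if off + 0x40 > len(blob):                    # need the whole DOS header
        return None
    e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
    pe = off + e_lfanew
    if e_lfanew < 0x40 or e_lfanew > 0x1000 or pe + 24 > len(blob):
        return None
    if blob[pe:pe + 4] != b"PE\0\0":
        return None
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsections, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", blob, pe + 4)
    if nsections == 0 or nsections > MAX_SECTIONS:
        return None
    section_table = pe + 24 + opt_size
    end = section_table + nsections * 40 - off    # the headers alone, at minimum
    for i in range(nsections):
        entry = section_table + i * 40
        if entry + 40 > len(blob):
            return None
        # SizeOfRawData and PointerToRawData sit at +16 and +20 in each 40-byte section header
        size_of_raw_data, pointer_to_raw_data = struct.unpack_from("<II", blob, entry + 16)
        end = max(end, pointer_to_raw_data + size_of_raw_data)
    return end


def carve_pe(blob: bytes) -> list:
    """Find every embedded PE in blob; nested hits (a payload inside a dropper) are all reported."""
    hits = []
    pos = blob.find(b"MZ")
    while pos != -1:
        size = _pe_extent(blob, pos)
        if size is not None:
            available = len(blob) - pos
            hits.append({
                "offset": pos,
                "size": min(size, available),
                "truncated": size > available,     # section table promises more bytes than the carrier holds
                "data": blob[pos:pos + min(size, available)],
            })
        pos = blob.find(b"MZ", pos + 1)
    return hits


def build_minimal_pe(payload: bytes) -> bytes:
    """Constructed PE32 skeleton (valid headers, not runnable) used only as sample input."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)                  # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # i386, one section
    optional = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)                     # PE32 magic, rest zeroed
    section = b".text\0\0\0" + struct.pack("<IIII", len(payload), 0x1000, len(payload), 0x200) + b"\0" * 16
    headers = dos + coff + optional + section
    return headers + b"\0" * (0x200 - len(headers)) + payload


def build_sample_carrier() -> bytes:
    """Constructed PDF-like carrier: a decoy 'MZ' in plain text, then a real PE, then a trailer."""
    pe = build_minimal_pe(b"\x90" * 8 + b"\xC3" + b"constructed")
    prefix = b"%PDF-1.4\n% constructed carrier; the letters MZ below are plain text, not a header\n" + b"\0" * 96
    return prefix + pe + b"\ntrailer\n%%EOF\n"


if __name__ == "__main__":
    carrier = build_sample_carrier()
    for hit in carve_pe(carrier):
        print("PE at offset %d, %d bytes, truncated=%s" % (hit["offset"], hit["size"], hit["truncated"]))
```

The decoy "MZ" in the carrier text is rejected because its e_lfanew points nowhere sensible, which is the same reason a bare string match (whether in YARA or a grep) needs this second look before you start carving. Packed or overlay-bearing droppers keep data past the last section, so treat the carved size as the minimum to hand to your sandbox, not the whole story.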
- Open Memory Forensics Workshop (OMFW) 2011, New Orleans, LA, July 31, 2011 (in conjunction w/ DFRWS below)
- Digital Forensics Research Workshop (DFRWS) 2011 - New Orleans, LA - August 1-3
- Blog contributor Ray Strubinger will be leading a Mentor session of Security 504: Hacker Techniques, Exploits & Incident Handling - Atlanta, GA - August 4, 2011 - October 6, 2011
- SANS Boston 2011 - Boston, MA - August 6 - 15, 2011
- Paul Henry will be teaching SANS FOR 408: Computer Forensic Investigations - Windows In-Depth in Virginia Beach, VA - August 28 - September 2, 2011
- Dave Hull will be teaching SANS FOR 408: Computer Forensic Investigations - Windows In-Depth in Ottawa, ON - August 28 - September 2, 2011
- GrrCon - Midwest Information Security and Hacker Conference - Grand Rapids, MI - September 16, 2011
- Paraben's Forensic Innovations Conference - Due Date - August 1, 2011
- 2011 secAU Security Congress - Due Date - September 30, 2011
- 2012 American Academy of Forensic Sciences Annual Meeting - Due Date - August 1, 2011
- Techno Forensics Conference - the official CFP deadline has passed, but their web site indicates that a few speaking opportunities are still available and invites interested persons to contact the organizers.
Digital Forensics Case Leads is a (mostly) weekly publication of the week's news and events relating to digital forensics. If you have an item you'd like to share, please send it to email@example.com.
Digital Forensics Case Leads for 20110729 was compiled by Gregory Pendergast, forensicator, incident responder, and jack-of-all-security at Virginia Commonwealth University. When not busy with his day job, Gregory also contributes book and product reviews to Digital Forensics Magazine and InfoSecReviews.com.